CVE-2022-30117
Description
Concrete CMS versions prior to 9.1.0 and 8.5.8 contain a path traversal vulnerability in the file upload endpoint, allowing authenticated attackers to delete arbitrary files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2022-30117 is a path traversal vulnerability in the /index.php/ccm/system/file/upload endpoint of Concrete CMS. The vulnerability exists in versions 8.5.7 and below, as well as 9.0 through 9.0.2. The root cause is insufficient sanitization of file paths during the upload process, allowing an attacker to traverse directories and delete arbitrary files on the server [1][2].
Exploitation
To exploit this vulnerability, an attacker must be authenticated with high privileges (CVSS PR:H). The attack is network-based and requires no user interaction. By crafting a malicious file upload request with path traversal sequences (e.g., ../), the attacker can cause the application to delete files outside the intended upload directory [2].
Impact
Successful exploitation leads to arbitrary file deletion, which can result in denial of service or integrity loss. The CVSS v3.1 score is 5.8 (Medium) with a vector of AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H, highlighting the high availability impact [2].
Mitigation
The vulnerability is fixed in Concrete CMS versions 9.1.0 and 8.5.8. Administrators are strongly advised to upgrade to these versions immediately. The fix includes sanitizing the upload path and adding early validation in the isFullChunkFilePresent function [1][3].
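An added example, not Concrete CMS's own code, of the kind of early validation the fix describes: a chunk file name is accepted only if it is a plain file name whose resolved path stays inside the chunk directory, so a traversal sequence can never select a file outside it for deletion. The function names, the regex, and the directory layout in the demo are assumptions.

```python
import os
import re
import tempfile

# Hypothetical validator (not Concrete CMS code): accept a chunk name only if it
# is a plain file name and the resolved path stays inside the chunk directory.
_CHUNK_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")

def resolve_chunk_path(chunk_dir, chunk_name):
    """Return the absolute path of chunk_name inside chunk_dir, or None if rejected."""
    if not chunk_name or not _CHUNK_NAME.match(chunk_name) or chunk_name in (".", ".."):
        return None
    base = os.path.realpath(chunk_dir)
    candidate = os.path.realpath(os.path.join(base, chunk_name))
    # Containment check: the validated file must be a direct child of the chunk dir.
    if os.path.dirname(candidate) != base:
        return None
    return candidate

def is_full_chunk_file_present(chunk_dir, chunk_name):
    """Early validation before any delete: the name must resolve inside chunk_dir and exist."""
    path = resolve_chunk_path(chunk_dir, chunk_name)
    return path is not None and os.path.isfile(path)

def remove_chunk(chunk_dir, chunk_name):
    """Delete a chunk only through its validated path; return True when a file was removed."""
    path = resolve_chunk_path(chunk_dir, chunk_name)
    if path is None or not os.path.isfile(path):
        return False
    os.remove(path)
    return True

def demo():
    """Constructed scenario: a chunk dir holding one chunk, with a sibling config file outside it."""
    root = tempfile.mkdtemp()
    chunk_dir = os.path.join(root, "chunks")
    os.mkdir(chunk_dir)
    with open(os.path.join(chunk_dir, "part1.bin"), "wb") as f:
        f.write(b"x")
    with open(os.path.join(root, "config.php"), "w") as f:
        f.write("<?php")
    return {
        "plain": remove_chunk(chunk_dir, "part1.bin"),
        "traversal": remove_chunk(chunk_dir, "../config.php"),
        "absolute": remove_chunk(chunk_dir, os.path.join(root, "config.php")),
        "sibling_kept": os.path.isfile(os.path.join(root, "config.php")),
    }
```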
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| concrete5/core (Packagist) | >= 9.0.0, < 9.1.0 | 9.1.0 |
| concrete5/core (Packagist) | < 8.5.8 | 8.5.8 |
Affected products
- Concrete CMS / Concrete CMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3jxh-6635-6jwp (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-30117 (NVD advisory)
- documentation.concretecms.org/developers/introduction/version-history/858-release-notes (8.5.8 release notes)
- documentation.concretecms.org/developers/introduction/version-history/910-release-notes (9.1.0 release notes)
- hackerone.com/reports/1482280 (HackerOne report)
News mentions
No linked articles in our index yet.